Palo Alto Networks Certified Network Security Engineer PCNSE (PCNSE) — Questions 151225

516 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
MCQ · easy

A multinational corporation uses Palo Alto Networks NGFWs to secure user access to cloud-based productivity applications. Users authenticate via SAML using an external identity provider. Recently, the helpdesk has received multiple complaints that when users log in to the first application in the morning, they are prompted for SAML authentication. After authenticating successfully, if they navigate to a different application (e.g., from email to document editing) within the same browser tab, they are again prompted to re-authenticate, which disrupts their workflow. The firewall authentication logs show that each application access triggers a new SAML authentication request, even though the user’s session is still active. The administrator has verified that the SAML identity provider is properly configured, and the authentication profile on the firewall uses a unique identifier per user. The company wants to minimize re-authentication prompts while maintaining security. Which action should the administrator take?

A. Enable Single Logout (SLO) on the identity provider and configure the firewall to accept SLO requests.
B. Configure a session token lifetime in the authentication profile so that the firewall can reuse the same authentication token across multiple applications.
C. Reduce the authentication timeout value in the authentication profile to force more frequent re-authentication.
D. Remove the authentication enforcement from the security rules for these applications and rely on user-IP mapping.
Answer: B

Setting a session token lifetime allows the firewall to cache the SAML token and reuse it for subsequent authentications within the specified period, thus reducing redundant prompts.

Why this answer

The issue is that the firewall is not caching the SAML authentication token across different application requests. Configuring a session token lifetime in the authentication profile allows the firewall to reuse the same authentication token for subsequent requests within the defined time window, reducing re-authentication prompts. Option A (SLO) is used for ending sessions, not for avoiding re-authentication.

Option C (reducing the timeout) would increase prompts. Option D (removing enforcement) weakens security. Therefore, option B is correct.

152
Multi-Select · hard

Which TWO are prerequisites for using Authentication Policy? (Choose two.)

Select 2 answers
A. User-ID is configured
B. The firewall is in transparent mode
C. SSL decryption is enabled
D. A security policy rule exists with user attributes
E. An authentication profile is configured
Answers: A, E

User-ID is required to map users to IP addresses and use user attributes in policies.

Why this answer

Options A and E are correct. User-ID must be configured to identify users, and an authentication profile must be defined to specify the authentication method. Option C (SSL decryption) is not required.

Option D (a security policy with user attributes) is not a prerequisite, though it is often used. Option B (transparent mode) is false.

153
MCQ · easy

A network engineer wants to allow remote users to access internal applications via GlobalProtect, but only for specific users. Which configuration method should be used to restrict access?

A. Use User-ID on the GlobalProtect gateway.
B. Configure group mapping on the GlobalProtect portal.
C. Create a HIP profile and assign it to the gateway.
D. Configure a security policy with User-ID matching the required users.
Answer: D

Security policies can use user-ID to allow or deny traffic based on authenticated user.

Why this answer

Option D is correct because the security policy is the enforcement point that controls access to internal applications. By configuring a security policy with user-ID matching the required users, the firewall can restrict traffic based on the authenticated user identity, ensuring only specific users can reach the internal applications via GlobalProtect.

Exam trap

The trap here is that candidates often confuse the portal and gateway functions, thinking that user or group restrictions configured on the portal (like group mapping) will control application access, when in fact the security policy on the firewall is the only place to enforce which users can access specific internal resources.

How to eliminate wrong answers

Option A is wrong because user-ID on the GlobalProtect gateway is used to map IP addresses to usernames for visibility and policy enforcement, but it does not itself restrict access; it merely provides identity information. Option B is wrong because group mapping on the GlobalProtect portal is used to define which user groups can authenticate and download the portal configuration, but it does not control access to specific internal applications after the tunnel is established. Option C is wrong because a HIP profile is used to enforce endpoint compliance (e.g., antivirus, disk encryption) and is not a method to restrict access based on specific user identity; it checks the health of the client device, not the user.

154
MCQ · hard

A network engineer configures a Source NAT policy on a Palo Alto Networks firewall to translate internal private IP addresses to the public IP of the external interface. The NAT rule is configured with source zone 'internal', destination zone 'external', and uses 'interface address' as the translated address. The associated security rule allows traffic from 'internal' to 'external' with the translated IP as the source. After committing, users cannot access the internet. Traceroute from an internal host to 8.8.8.8 shows: Hop 1: 192.168.1.1 (firewall internal IP), Hop 2: * * * (no response). The firewall's external interface has a public IP and is in the 'external' zone. What is the most likely cause of the issue?

A. The security rule's action is set to 'deny' for the translated IP.
B. The NAT rule's source zone is configured as 'external' instead of 'internal'.
C. The firewall's default route is missing.
D. The NAT rule is configured with destination zone 'any' but should be 'external'.
Answer: B

If the source zone is 'external', the internal traffic will not match the NAT rule, so no source translation occurs.

Why this answer

The NAT rule's source zone must match the zone of the incoming traffic. If the source zone is set to 'external' instead of 'internal', the firewall will not apply the NAT rule to traffic arriving from the internal zone. As a result, packets are forwarded without translation, and the security rule expecting the translated IP as the source will not match, causing traffic to be dropped.

The traceroute showing no response beyond the firewall's internal IP confirms that packets are not being translated or forwarded correctly.

Exam trap

The trap here is that candidates often focus on the destination zone or security rule configuration, overlooking that the NAT rule's source zone must match the actual traffic ingress zone, not the zone of the translated address.

How to eliminate wrong answers

Option A is wrong because the security rule is explicitly stated to allow traffic with the translated IP as the source; a deny action would be inconsistent with the scenario and would not explain the traceroute behavior. Option C is wrong because a missing default route would cause the firewall to have no path to the internet, but the traceroute shows the firewall's internal interface responding, indicating the firewall is reachable and routing is likely present. Option D is wrong because setting the destination zone to 'any' would actually broaden the match and not prevent NAT from being applied; the issue is with the source zone, not the destination zone.

155
MCQ · medium

A company uses App-ID to identify traffic on their Palo Alto Networks firewall. They notice that a particular application, custom-db-sync, is not being identified correctly. The traffic uses a proprietary protocol over TCP port 4444. The firewall currently has a security rule allowing any application on that port. Which step should the engineer take to enable App-ID to correctly identify custom-db-sync?

A. Create a custom App-ID for custom-db-sync using the Application Object and define the appropriate signatures.
B. Enable unknown application identification in the security rule.
C. Use the default application override for port 4444 to allow traffic.
D. Change the security rule to use 'application-default' as the service to rely on port-based identification.
Answer: A

Custom App-IDs allow identification of proprietary protocols by defining signatures.

Why this answer

Option A is correct because App-ID relies on application signatures to identify traffic, not just port numbers. Since custom-db-sync uses a proprietary protocol over TCP 4444, the firewall cannot match it to any built-in App-ID. Creating a custom App-ID with appropriate signatures (e.g., protocol decoders, pattern matches) allows the firewall to correctly identify this custom application, enabling policy enforcement beyond port-based rules.

Exam trap

The trap here is that candidates often confuse 'application override' (which bypasses App-ID) with 'custom App-ID' (which enhances App-ID), leading them to choose option C, thinking it will force identification when it actually disables App-ID for that traffic.

How to eliminate wrong answers

Option B is wrong because enabling unknown application identification only allows the firewall to treat unidentified traffic as 'unknown-tcp' or 'unknown-udp', but it does not create a specific signature to identify custom-db-sync; the traffic would still not be recognized as that custom application. Option C is wrong because an application override bypasses App-ID entirely, forcing the firewall to treat all traffic on port 4444 as a specified application, which defeats the purpose of using App-ID to correctly identify the custom protocol. Option D is wrong because using 'application-default' as the service only changes the port binding to the default port for the identified application, but since custom-db-sync is not identified at all, this action does not enable its recognition; App-ID must first identify the application before 'application-default' can be relevant.

156
MCQ · hard

During SSL decryption, the firewall logs show 'ssl_decrypt_unsupported_cipher' errors for several connections. What is the likely cause and solution?

A. The firewall's SSL/TLS service profile does not include the cipher suites used by the client or server.
B. The firewall does not support decryption of that traffic.
C. The decryption certificate is not trusted by the client.
D. The decryption rule is not matching the traffic.
Answer: A

The cipher is unsupported; adding it to the profile resolves the issue.

Why this answer

The 'ssl_decrypt_unsupported_cipher' error indicates that the firewall's SSL/TLS proxy cannot negotiate a common cipher suite with the client or server during the decryption handshake. This occurs when the cipher suites configured in the firewall's SSL/TLS service profile do not include the ciphers offered by the client or required by the server. The solution is to update the service profile to include the necessary cipher suites, such as those based on AES-GCM or CHACHA20-POLY1305, ensuring compatibility.

Exam trap

The trap here is that candidates often confuse cipher suite mismatch with certificate trust issues or rule misconfiguration, but the specific error message 'ssl_decrypt_unsupported_cipher' directly points to the cipher suite list in the SSL/TLS service profile.

How to eliminate wrong answers

Option B is wrong because the firewall does support decryption of that traffic; the error is specifically about cipher mismatch, not a lack of decryption capability. Option C is wrong because a certificate trust issue would generate errors like 'certificate validation failed' or 'untrusted issuer', not 'unsupported cipher'. Option D is wrong because if the decryption rule were not matching, the traffic would bypass decryption entirely, and no SSL decryption error would be logged.

157
Matching · medium

Match each CLI command to its function.

Matches

Displays firewall model, version, and uptime

Lists currently active security rules

Reboots the firewall

Captures packets for troubleshooting

Enters configuration mode to make changes

Why these pairings

These are common commands used in PAN-OS CLI.

158
Multi-Select · hard

Which THREE are valid methods for User-ID mapping in PAN-OS?

Select 3 answers
A. DHCP snooping
B. NetFlow collection
C. SNMP traps
D. Active Directory polling
E. Captive Portal
Answers: A, D, E

DHCP snooping maps IP addresses to MAC addresses which are linked to users via authentication.

Why this answer

DHCP snooping is a valid User-ID mapping method because the PAN-OS firewall can act as a DHCP snooping device, listening to DHCPACK messages from the DHCP server. By extracting the client IP address and MAC address from these packets, the firewall can map the IP to a username if the MAC is known via other means (e.g., Active Directory). This method is agentless and works well in environments where DHCP is used for IP address assignment.

Exam trap

The trap here is that candidates often confuse network monitoring protocols like Netflow and SNMP with user identification mechanisms, mistakenly thinking they can provide user-to-IP mappings when they are designed for traffic analysis and device management, respectively.

159
MCQ · medium

Refer to the exhibit. A user is trying to authenticate via SAML and receives this error. What is the most likely cause?

A. The IdP certificate has expired.
B. The user's account is locked.
C. The SAML request timeout is set too short.
D. The firewall's SP entity ID does not match the audience configured in the IdP.
Answer: D

The audience in the SAML response must match the SP entity ID; otherwise, the firewall rejects it.

Why this answer

Option D is correct because the 'Invalid audience' error indicates that the audience in the SAML response (provided by the IdP) does not match the expected SP entity ID configured on the firewall. Option A is incorrect because certificate expiry would cause a different error. Option B is incorrect because an account lockout would result in an authentication failure with a different reason.

Option C is incorrect because a timeout would show a different error.

160
MCQ · medium

A firewall has the routing table shown. A packet arrives on ethernet1/2 with source IP 10.0.0.50 and destination IP 10.0.0.100. Which route will be used for forwarding?

A. 10.0.0.0/24 via 10.0.0.2 ethernet1/2
B. 10.0.1.0/24 via 10.0.0.3 ethernet1/3
C. 10.0.0.0/8 via 10.0.0.1 ethernet1/1
D. 0.0.0.0/0 via 10.0.0.1 ethernet1/1
Answer: A

Longest prefix match: /24 is more specific than /8.

Why this answer

The firewall performs a longest-prefix match on the routing table. The destination IP 10.0.0.100 matches the 10.0.0.0/24 route (prefix length 24) more specifically than the 10.0.0.0/8 route (prefix length 8) or the default route. Since the packet arrived on ethernet1/2 and the matching route points to the same interface, the route via 10.0.0.2 ethernet1/2 is selected.

Exam trap

The trap here is that candidates often pick the default route or the classful /8 route without considering the longest-prefix match rule, mistakenly assuming that a broader match or the default route is sufficient for forwarding.

How to eliminate wrong answers

Option B is wrong because the destination IP 10.0.0.100 does not fall within the 10.0.1.0/24 subnet; the route is for a different network. Option C is wrong because although 10.0.0.100 is within the 10.0.0.0/8 range, the route has a shorter prefix length (8) than the 10.0.0.0/24 route (24), so the longest-prefix match rule selects the /24 route instead. Option D is wrong because the default route (0.0.0.0/0) is only used when no more specific route matches; here, a specific route (10.0.0.0/24) exists and is preferred.

161
MCQ · easy

A network administrator is troubleshooting decryption failures for HTTPS traffic to a financial website. The firewall is configured with SSL Forward Proxy decryption policy that applies to the 'financial-services' URL category. The firewall uses an internal CA certificate to sign generated certificates. Users report a certificate error in their browsers when accessing 'https://www.bankofalice.com'. The error says the certificate is not trusted, even though the internal CA certificate is installed on all client devices. The administrator checks the firewall logs and sees no decryption errors; the session is being decrypted successfully. The administrator also confirms that the decryption policy is active and the firewall is not bypassing decryption. What is the most likely cause of the certificate error?

A. The website uses certificate pinning, which causes the browser to reject the firewall's certificate.
B. The firewall's decryption certificate does not have the correct subject name for the website.
C. The firewall's decryption certificate is expired.
D. The decryption policy is configured to 'no-decrypt' for that traffic.
Answer: A

Certificate pinning causes the browser to expect a specific certificate hash; even a validly signed certificate from the firewall will be rejected.

Why this answer

Option A is correct because certificate pinning (HTTP Public Key Pinning or HPKP) causes the browser to reject any certificate that does not match the pinned public key, even if the firewall's certificate is signed by a trusted internal CA. Since the firewall generates a new certificate on-the-fly with its own key pair, the browser detects the mismatch and displays a certificate error, despite successful decryption at the firewall.

Exam trap

The trap here is that candidates often assume a certificate error means a CA trust issue or expired certificate, but the key clue is that the internal CA is installed and decryption succeeds—pointing to a pinning or key mismatch scenario that bypasses normal certificate validation.

How to eliminate wrong answers

Option B is wrong because the firewall's SSL Forward Proxy decryption automatically generates a certificate with the correct subject name (CN/SAN) matching the target website's hostname, so a subject name mismatch would cause a different error (e.g., name mismatch) and would likely be logged as a decryption error. Option C is wrong because if the decryption certificate were expired, the firewall would typically fail to generate a valid certificate or log a decryption error, and the browser would show an expiration error rather than an untrusted certificate error. Option D is wrong because the administrator confirmed the decryption policy is active and not bypassing decryption, and a 'no-decrypt' action would result in no decryption at all, not a certificate error from a generated certificate.

162
Multi-Select · easy

Which TWO factors should be considered when designing an authentication enforcement strategy? (Choose two.)

Select 2 answers
A. Application type
B. Time of day
C. User group membership
D. Source IP address
E. Destination port
Answers: A, C

Authentication can be enforced per application, e.g., only for web-browsing.

Why this answer

Options A and C are correct. User group membership allows group-based enforcement, and application type allows context-aware enforcement. Option B (time of day) is possible but not a primary factor; option D (source IP) is often used but not a primary design factor; option E (destination port) is less relevant for authentication.

163
Multi-Select · medium

Which THREE components are required to deploy the Palo Alto Networks User-ID agent in a typical Windows environment to map users to IP addresses?

Select 3 answers
A. Firewall management server (Panorama)
B. Active Directory domain to query user information
C. LDAP server (non-AD) for authentication
D. User-ID agent software installed on a Windows server
E. Mapping database for storing IP-to-user mappings
Answers: B, D, E

AD provides user identity data.

Why this answer

The User-ID agent requires the agent software, a directory service (like Active Directory) for user lookup, and a mapping database to store IP-to-user mappings. An LDAP server is already implied by AD, and the firewall management server is not required for the agent itself.

164
Multi-Select · medium

Which TWO of the following are prerequisites for configuring high availability on Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A. Both firewalls must have management IPs in different subnets
B. Both firewalls must have the same interface naming
C. Both firewalls must have the same licenses
D. Both firewalls must run the same software version
E. Both firewalls must be the same model
Answers: D, E

Same PAN-OS version is required.

Why this answer

Options D and E are correct. Identical model and software version are required. Option C is wrong because licensing can differ.

Option B is wrong because interface naming can be different as long as the configuration is the same. Option A is wrong because management IPs must be in the same subnet.

165
MCQ · medium

A company has two Palo Alto Networks firewalls in an active/passive high availability pair. The firewalls are configured with a virtual IP (VIP) for the internal network. Recently, the passive firewall was upgraded to a new PAN-OS version. After the upgrade, the active firewall is still running the old version. The administrator wants to perform a failover to make the upgraded firewall active. However, when the administrator attempts to manually failover, the new passive firewall does not become active. The HA synchronization status shows 'synchronized' but the preemption is disabled. The administrator checks the HA configuration and finds that the peer's version is not compatible. What should the administrator do to successfully failover to the upgraded firewall?

A. Disable HA, then reconfigure HA on both firewalls
B. Upgrade the active firewall to the same PAN-OS version as the passive firewall
C. Force the failover via the CLI using 'request high-availability state suspend' on the active firewall
D. Downgrade the passive firewall back to the old version
Answer: B

Both firewalls must run the same version for proper HA operation; upgrading the active is the correct action.

Why this answer

Option B is correct because PAN-OS requires both firewalls in an active/passive HA pair to run the same major version to form a compatible HA connection. Even if synchronization status shows 'synchronized', the version mismatch prevents failover from succeeding. Upgrading the active firewall to match the passive firewall's version restores version compatibility and allows the failover to proceed.

Exam trap

The trap here is that candidates assume 'synchronized' status means HA is fully functional and failover will work, but they overlook that version compatibility is a prerequisite for stateful failover, not just configuration sync.

How to eliminate wrong answers

Option A is wrong because disabling and reconfiguring HA does not address the root cause—the version mismatch—and would cause unnecessary downtime and configuration loss. Option C is wrong because the 'request high-availability state suspend' command on the active firewall would force it to suspend, but the passive firewall still cannot become active due to the incompatible PAN-OS version, so failover would fail. Option D is wrong because downgrading the passive firewall back to the old version would revert the upgrade, defeating the purpose of making the upgraded firewall active, and is not a best practice for maintaining security and feature updates.

166
Multi-Select · medium

A network engineer is troubleshooting high latency on the firewall. Which THREE commands from the CLI should be used to identify potential bottlenecks? (Choose three.)

Select 3 answers
A. show running resource-monitor
B. show session info
C. show log traffic
D. show system resources
E. show counter global
Answers: A, D, E

This command shows dataplane resource utilization, useful for identifying CPU/memory bottlenecks.

Why this answer

Options A, D, and E are correct. 'show running resource-monitor' displays CPU and memory usage per dataplane, 'show counter global' shows packet drop counters, and 'show system resources' provides overall CPU/memory/disk usage. Option B is incorrect because 'show session info' shows active sessions but not performance bottlenecks. Option C is incorrect because 'show log traffic' is for historical logs, not real-time troubleshooting.

167
MCQ · easy

A firewall's management interface becomes unresponsive. The administrator can still ping the management IP. What is the most likely cause?

A. Management interface IP conflict
B. CPU overload
C. HTTP/HTTPS service disabled
D. Management profile misconfiguration
Answer: C

If the HTTPS service is disabled, the web UI will be unreachable, but ICMP (ping) can still respond if allowed.

Why this answer

When the management interface is unresponsive to HTTPS/SSH but still responds to ICMP (ping), it typically indicates that the management services (HTTP/HTTPS) are disabled on the interface. Ping operates at the network layer (ICMP) and does not require the management daemon to be running, while HTTPS requires the web server process to be enabled and bound to the management interface. This is a common misconfiguration in Palo Alto Networks firewalls where the 'HTTP' or 'HTTPS' service is unchecked under the Management Interface Settings.

Exam trap

The trap here is that candidates assume any unresponsive management interface must be a network or resource issue, overlooking that ICMP and management services use separate processes, so ping success does not guarantee management service availability.

How to eliminate wrong answers

Option A is wrong because an IP conflict would cause intermittent connectivity or complete failure for all traffic, including ICMP, due to ARP instability; ping would not reliably succeed. Option B is wrong because CPU overload would affect all processes, including ICMP response handling, making ping also fail or become highly latent. Option D is wrong because a management profile misconfiguration affects which source IPs or interfaces can access management services, but it does not disable the HTTP/HTTPS service itself; the service would still be listening but may reject connections based on the profile.

168
MCQ · easy

A security administrator wants to block traffic from IP address 192.168.1.100 to the internet. The firewall has a security policy that allows all outbound traffic. Which action should be taken to most efficiently block this specific host?

A. Configure a Zone Protection profile to block the IP.
B. Create a new security rule with source IP 192.168.1.100 and action 'deny', placed before the allow rule.
C. Apply a QoS policy to limit the bandwidth from that IP to zero.
D. Add the IP to an External Dynamic List and reference it in a security rule.
Answer: B

A simple deny rule is the most efficient method.

Why this answer

Option B is correct because the most efficient way to block a specific host in a Palo Alto Networks firewall is to create a security rule with a source IP of 192.168.1.100 and action 'deny', placed before the existing allow rule. Security rules are evaluated in order from top to bottom, and the first matching rule determines the action; placing the deny rule first ensures the host's traffic is blocked without affecting other traffic.

Exam trap

The trap here is that candidates may think a Zone Protection profile or QoS policy can block a specific host, but these features are designed for different purposes (threat prevention and traffic shaping, respectively) and do not provide the precise, rule-based blocking that a security rule offers.

How to eliminate wrong answers

Option A is wrong because Zone Protection profiles are used to protect against flood attacks, reconnaissance, and other network-based threats at the zone level, not to block specific IP addresses from accessing the internet; they operate on traffic patterns, not individual host policies. Option C is wrong because a QoS policy limits bandwidth but does not block traffic; setting bandwidth to zero would still allow the traffic to be processed and potentially dropped due to congestion, but it is not a reliable or efficient method to block a specific host. Option D is wrong because using an External Dynamic List (EDL) is an indirect method that requires additional configuration and external management, making it less efficient than a direct security rule for blocking a single static IP address.

169
MCQ · hard

A large enterprise with 10,000+ users is deploying GlobalProtect with SAML authentication. The IdP is Azure AD. Users report that authentication sometimes fails during peak hours with error 'SAML response timeout'. Which design change would most effectively address this issue?

A. Implement a secondary IdP as a fallback
B. Reduce the SAML authentication timeout to 30 seconds to force faster responses
C. Switch to certificate-based authentication instead of SAML
D. Increase the SAML authentication timeout to 120 seconds
Answer: D

Longer timeout accommodates IdP response delays during peak load.

Why this answer

Option D is correct because increasing the SAML authentication timeout to 120 seconds accommodates delays in Azure AD response generation during peak loads. The default timeout (often 60 seconds) may be insufficient when the IdP is under heavy demand, causing the firewall to abort the SAML exchange prematurely. Extending the timeout allows the IdP more time to complete the assertion, reducing timeout errors without altering the authentication method.

Exam trap

The trap here is that candidates may think reducing the timeout improves performance, but in reality, it increases failures when the IdP is slow, while increasing the timeout is the correct remedy for IdP-side latency.

How to eliminate wrong answers

Option A is wrong because adding a secondary IdP as a fallback does not address the root cause—slow responses from the primary IdP during peak hours; it only shifts the problem to another IdP that may also experience delays. Option B is wrong because reducing the SAML authentication timeout to 30 seconds would exacerbate the issue, causing even more frequent timeouts when the IdP is slow. Option C is wrong because switching to certificate-based authentication abandons SAML entirely, which is a drastic change that does not solve the specific timeout issue and may not meet the enterprise's requirement for SAML-based single sign-on.

170
MCQ · medium

An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?

A. Confirm that the source and destination users are correctly configured.
B. Ensure that a security profile is applied to the rule to allow the application.
C. Check if the rule is placed after a deny-all rule.
D. Verify that the firewall is correctly identifying the traffic as 'ms-update' using App-ID.
Answer: D

If the traffic is not identified as 'ms-update', the rule will not match.

Why this answer

App-ID is the core mechanism that identifies applications by inspecting traffic beyond port numbers. If the firewall misidentifies the traffic (e.g., as 'ssl' or 'web-browsing' instead of 'ms-update'), the security rule specifically allowing 'ms-update' will not match, and the traffic will be denied by the implicit deny rule. Therefore, verifying App-ID identification is the first logical step.

Exam trap

The trap here is that candidates assume a rule allowing an application by name will automatically match traffic on standard ports, forgetting that App-ID must first correctly identify the application for the rule to apply.

How to eliminate wrong answers

Option A is wrong because source and destination users are irrelevant when the rule is based on application identification, not user identity; user configuration would only matter if the rule had a User-ID condition. Option B is wrong because security profiles (e.g., antivirus, vulnerability protection) are applied after the rule matches and do not affect whether the rule permits or denies traffic; they only inspect allowed traffic. Option C is wrong because a deny-all rule at the end of the policy list would block all unmatched traffic, but the question states a rule allowing 'ms-update' exists; the issue is that the rule is not matching, not that it is placed incorrectly relative to a deny-all rule.

171
Multi-Selecteasy

Which TWO of the following are valid methods to collect logs from a Palo Alto Networks firewall for reporting and forensics?

Select 2 answers
A.Export to Microsoft Azure Sentinel directly without any intermediate.
B.Local storage on the firewall's management disk (MP) and export via the web interface.
C.SNMPv3 traps for all log types.
D.Email alerts for all threat logs.
E.Syslog to an external log collector.
AnswersB, E

Logs are stored locally and can be exported.

Why this answer

Option B is correct because the firewall's management plane (MP) includes a local log storage partition that can hold logs (e.g., traffic, threat, system) and allows export via the web interface (Monitor > Logs > Export). This provides a built-in method for log collection without requiring external infrastructure. Option E is correct because syslog (UDP/TCP, RFC 3164 or RFC 5424) is a standard protocol supported by Palo Alto firewalls to forward all log types to an external collector for centralized reporting and forensics.

Exam trap

The trap here is that candidates confuse 'log collection' with 'alerting mechanisms' (SNMP traps and email alerts), assuming they can replace full log export, but Palo Alto firewalls require dedicated log forwarding methods (syslog, Panorama, or local export) for complete reporting and forensics.

172
MCQhard

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?

A.The ARP table was not synchronized during failover.
B.The HA2 link is down, causing session table mismatch.
C.The new active firewall does not have a valid license.
D.The session setup rate exceeded the new active firewall's capacity.
AnswerD

If the session setup rate is too high, the firewall may drop new sessions while still being manageable.

Why this answer

Option D is correct because when a passive firewall becomes active, it must process all new session setups from scratch. If the session setup rate exceeds the new active firewall's capacity (e.g., due to licensing limits on session count or throughput), traffic will be dropped even though the management interface remains reachable. The management plane is separate from the data plane, so management access can still work while forwarding fails.

Exam trap

The trap here is that candidates often assume a management interface being reachable means the data plane is fully operational, but in Palo Alto firewalls, the management plane and data plane are independent; a license or capacity limit can block data forwarding while management remains accessible.

How to eliminate wrong answers

Option A is wrong because ARP tables are synchronized via HA1 (control link) during failover, and the new active firewall would learn ARP entries from the active firewall's forwarding table; a missing ARP table would cause local connectivity issues but not a complete traffic stop. Option B is wrong because the HA2 link is used for session synchronization, but even if it is down, the new active firewall would still have its own session table from before failover; a mismatch would not prevent all traffic from passing. Option C is wrong because license validity is checked at boot time and does not affect ongoing traffic forwarding; the firewall would still pass traffic even without a valid license, though it might restrict certain features.

173
Multi-Selectmedium

A company wants to enforce multi-factor authentication (MFA) for employees accessing a specific internal application through the firewall. Which two configurations are required on the Palo Alto Networks firewall? (Choose two.)

Select 2 answers
A.Define an authentication profile that includes an MFA method
B.Configure a SAML identity provider
C.Create an authentication policy rule that references the application
D.Install the GlobalProtect client on user endpoints
E.Enable SSL decryption on the firewall
AnswersA, C

The authentication profile defines the authentication method (e.g., MFA via OTP or SAML) and must be configured to provide the second factor.

Why this answer

To enforce MFA, an authentication policy rule must be created to trigger authentication for the target application, and an authentication profile containing the MFA method must be defined and referenced. Option C triggers the authentication process, and option A defines the MFA method. Option B is not required if using a different MFA method.

Option D is not required for MFA. Option E is not needed for browser-based MFA.

174
MCQeasy

A company has a pair of Palo Alto Networks firewalls in active/passive HA. The active firewall manages all traffic. Recently, the network team reconfigured the virtual router by adding a new static route to a remote subnet via a next-hop IP on the same interface. After committing, they noticed that the passive firewall's management IP became unreachable. The active firewall continues to pass traffic normally. What is the most likely cause?

A.The passive firewall has lost its management route
B.The HA link is down
C.The static route is causing a routing loop
D.The virtual router configuration is not synchronized to the passive peer
AnswerA

The new static route added in the virtual router likely overwrote the default route or specifically the management subnet route, making the management IP unreachable on the passive firewall.

Why this answer

In an active/passive HA pair, the passive firewall synchronizes its configuration from the active firewall, including virtual router settings. However, management IP reachability depends on the management network's routing table, which is separate from the dataplane virtual router. Adding a static route to the virtual router does not automatically add a corresponding management route.

The passive firewall's management IP became unreachable because it lost its default gateway or specific management route, likely due to a misconfiguration or failure to synchronize the management plane's routing information, which is not part of the HA config sync.

Exam trap

The trap here is that candidates assume all routing configurations, including management routes, are synchronized in HA, but Palo Alto Networks separates management plane routing from dataplane virtual routers, and only the dataplane config is synced.

How to eliminate wrong answers

Option B is wrong because if the HA link were down, the passive firewall would transition to active state or show HA link failure, but the scenario states the passive firewall's management IP is unreachable while the active firewall continues to pass traffic normally, indicating the HA link is likely operational. Option C is wrong because a routing loop would cause traffic disruption for the active firewall as well, but the active firewall continues to pass traffic normally, and a static route to a remote subnet via a next-hop on the same interface does not inherently create a loop unless there is a conflicting route. Option D is wrong because virtual router configuration is synchronized to the passive peer as part of the HA config sync; the passive firewall would have the same static route, but the issue is specifically with the management IP reachability, which is governed by the management plane's routing table, not the dataplane virtual router.

175
MCQmedium

A cloud-based application is accessed via URL filtering and uses SAML authentication. After a user changes their password in the identity provider (Okta), they are unable to authenticate to the application. The firewall is configured with an authentication policy that uses SAML. Other users who have not changed passwords can authenticate successfully. What is the most likely issue?

A.The User-ID mapping on the firewall is outdated and still contains the user's old credentials.
B.The SAML token for the user has expired.
C.The firewall's SAML certificate is invalid.
D.The application does not support password changes.
AnswerA

The firewall might have cached the user's authentication state; clearing the user mapping or re-authenticating can resolve the issue.

Why this answer

Option A is correct because the firewall may have cached the user's old group memberships or authentication state via User-ID mapping, and the password change might not be reflected immediately. Option B is not related to password change. Option C would affect all users.

Option D is application-specific and not a firewall issue.

176
MCQhard

A Palo Alto Networks firewall experiences high CPU utilization consistently above 90%. Which of the following is the most effective first step to identify the cause?

A.Use the CLI command 'show running resource-monitor' to view CPU usage per module.
B.Review the security policy rule hit counts to see if a specific rule is hit frequently.
C.Check the number of active sessions using 'show session info'.
D.Inspect the packet buffer usage with 'show counter packet-buffer'.
AnswerA

Resource monitor breaks down CPU usage by dataplane and control plane, helping identify the culprit.

Why this answer

Option A is correct because 'show running resource-monitor' provides CPU, memory, and session utilization data that can pinpoint which component is using CPU. Option C is wrong because session count alone does not indicate high CPU. Option D is wrong because packet buffer usage is usually memory-related.

Option B is wrong because security policy rule hit count does not directly show CPU impact.

177
MCQmedium

An administrator adds a new security rule to allow outbound 'web-browsing' and 'ssl' traffic. After committing, users report that some HTTPS sites are still blocked. Traffic logs show that the traffic matches the new rule but is denied. What is the most likely cause?

A.The service 'application-default' does not match the port used by the site.
B.A decryption policy is required for HTTPS traffic.
C.The application filter does not include 'ssl'.
D.The rule is placed too low in the rulebase.
AnswerA

Application-default restricts matching to the standard port for the application, so sites on non-standard ports do not match.

Why this answer

The correct answer is A because when a security rule uses the 'application-default' service, the firewall only allows traffic that matches the default port for the specified application. For 'web-browsing' (HTTP), the default port is TCP 80, and for 'ssl' (HTTPS), the default port is TCP 443. If an HTTPS site uses a non-standard port (e.g., TCP 8443), the traffic matches the rule based on the application but is denied because the service 'application-default' does not recognize that port as valid for the application.

Exam trap

The trap here is that candidates often assume 'application-default' allows any port for the application, when in reality it strictly enforces the default port, causing denial for HTTPS on non-standard ports.

How to eliminate wrong answers

Option B is wrong because a decryption policy is not required for HTTPS traffic to be allowed; decryption is optional and used for inspection, not for basic forwarding. Option C is wrong because the application filter does not need to include 'ssl' separately; the rule already specifies 'ssl' as an application, and the issue is with the service, not the application filter. Option D is wrong because the traffic logs show the traffic matches the new rule, indicating the rule is being evaluated and matched; placement lower in the rulebase would cause a different rule to match first, not a match with denial.

178
MCQeasy

A user complains that they cannot access internal resources via GlobalProtect. The firewall shows the user is connected with an IP address from the tunnel pool. Which log type should the administrator check first to determine if traffic is being allowed or denied?

A.System logs.
B.Traffic logs.
C.Threat logs.
D.User-ID logs.
AnswerB

Traffic logs record every session, including action (allow/deny), source/destination, and application.

Why this answer

The administrator should check Traffic logs first because they record every session attempt, showing whether traffic was allowed or denied based on security policies. Since the user is connected with a tunnel IP, the issue is likely policy-based, and Traffic logs provide the source, destination, and action (allow/deny) for each session, directly revealing if the traffic is being blocked.

Exam trap

The trap here is that candidates may think User-ID logs (Option D) are relevant because the user is connected, but User-ID logs only show authentication mappings, not traffic policy decisions.

How to eliminate wrong answers

Option A is wrong because System logs record system-level events (e.g., process restarts, configuration changes) and do not show per-session allow/deny decisions for user traffic. Option C is wrong because Threat logs capture only traffic that matches intrusion prevention or antivirus signatures, not general allow/deny decisions. Option D is wrong because User-ID logs map usernames to IP addresses but do not indicate whether traffic is permitted or denied by security policies.

179
MCQmedium

An organization is migrating from a legacy firewall to a Palo Alto Networks firewall and needs to ensure that all existing application-based policies are accurately replicated. The engineer exports the configuration from the old firewall and imports it using the 'Config Audit' feature. After import, the engineer notices that many security policy rules have the application set to 'any' instead of the specific applications from the old firewall. What is the most likely reason?

A.The old firewall did not support application identification, so the import process defaulted to 'any'.
B.The import process uses a different naming convention for applications, causing a mismatch.
C.The administrator did not correctly map the old firewall's application signatures to Palo Alto Networks application IDs during the migration.
D.The 'Config Audit' tool does not import applications; it only identifies rule conflicts.
AnswerC

Without proper mapping, the import process cannot translate legacy app signatures to PAN-OS app IDs, resulting in 'any'.

Why this answer

Option C is correct because the 'Config Audit' feature in Palo Alto Networks firewalls compares rule configurations but does not automatically translate third-party application signatures into Palo Alto Networks App-IDs. The administrator must manually map the old firewall's application definitions to the correct App-IDs during migration; otherwise, the imported rules default to 'any' for the application field, as the system cannot infer the intended application without explicit mapping.

Exam trap

The trap here is that candidates assume the 'Config Audit' feature automatically converts all legacy application definitions to Palo Alto Networks App-IDs, when in fact it only audits configuration differences and requires manual mapping for application-specific policies.

How to eliminate wrong answers

Option A is wrong because the question states the old firewall had application-based policies, implying it supported application identification; the import process defaults to 'any' due to missing mapping, not because the old firewall lacked app-ID support. Option B is wrong because while naming conventions may differ, the 'Config Audit' tool does not attempt to match or translate application names; it simply imports the rule structure, leaving applications as 'any' if no mapping is provided. Option D is wrong because the 'Config Audit' tool does import and compare rule configurations, including applications, but it cannot automatically map third-party application signatures to Palo Alto Networks App-IDs without manual intervention.

180
MCQmedium

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. Traffic fails over correctly, but after a failover, existing sessions from external users to internal servers are broken. The security team wants to prevent this disruption. Which feature must be enabled?

A.Link Monitoring
B.Virtual Router Redundancy
C.Session State Synchronization
D.Path Monitoring
AnswerC

Session sync ensures the passive firewall has a copy of active sessions so they survive failover.

Why this answer

Session State Synchronization (option C) is required because it ensures that session table entries—including TCP state, sequence numbers, and application-layer metadata—are replicated from the active firewall to the passive firewall in real time. Without this, after a failover, the newly active firewall has no knowledge of existing sessions, causing it to drop packets and forcing clients to re-establish connections. This feature is specifically designed to maintain stateful session continuity during HA failovers.

Exam trap

The trap here is that candidates confuse high-availability failover mechanisms (like link monitoring or path monitoring) with stateful session replication, assuming that any HA feature will preserve sessions, but only Session State Synchronization specifically copies the session table to the standby device.

How to eliminate wrong answers

Option A is wrong because Link Monitoring only checks the physical link status of interfaces and triggers a failover if a link goes down; it does not replicate session state. Option B is wrong because Virtual Router Redundancy (e.g., VRRP) provides gateway redundancy at Layer 3 but does not synchronize firewall session state; it is unrelated to stateful session preservation. Option D is wrong because Path Monitoring monitors the reachability of specific destination IP addresses (e.g., next-hop gateways) to trigger failover, but it does not synchronize session tables between HA peers.

181
Multi-Selecthard

Which THREE are common causes of high CPU utilization on a Palo Alto Networks firewall? (Choose three.)

Select 3 answers
A.Large number of dynamic IP address group lookups.
B.Inefficient security policy rules causing excessive session processing.
C.Insufficient disk space on the log partition.
D.Excessive logging due to very frequent session matches.
E.BGP prefix flapping causing route recalculations.
AnswersA, B, D

Dynamic group lookups can be CPU intensive.

Why this answer

A large number of dynamic IP address group lookups can cause high CPU utilization because each lookup requires the firewall to evaluate the dynamic group membership in real time, often involving LDAP or other directory queries. This process is computationally expensive, especially when policies trigger frequent lookups for every new session, leading to sustained CPU spikes.

Exam trap

The trap here is that candidates often confuse disk space issues (Option C) with CPU utilization, but disk space problems affect storage and logging, not CPU directly, while BGP flapping (Option E) is a control-plane issue that is less commonly cited as a top cause of high CPU in Palo Alto Networks documentation.

182
MCQmedium

An organization uses Microsoft Active Directory for User-ID mapping. Some users are not being mapped because their IP addresses change frequently due to DHCP. Which approach should be implemented to ensure these users are identified?

A.Increase the IP-to-user mapping timeout
B.Use GlobalProtect with pre-logon token
C.Deploy a User-ID agent with WMI probing
D.Configure an Authentication Policy to enforce user authentication for their traffic
AnswerD

When users authenticate, the firewall maps their current IP to the user.

Why this answer

Option D is correct because configuring an Authentication Policy to force explicit authentication for those users will create IP-to-user mappings when they authenticate. Option A is incorrect because increasing the timeout does not solve the mapping issue. Option C is incorrect because a User-ID agent with WMI probing may not keep up with rapid changes.

Option B is incorrect because GlobalProtect with pre-logon is for machine authentication.

183
MCQhard

A financial institution operates a pair of PA-5260 firewalls in active/active HA using Virtual Wire mode. They are experiencing intermittent asymmetric traffic flows causing session setup failures. The firewall logs show sessions being created with a one-sided flow. Which configuration change is most likely to resolve this issue?

A.Enable symmetric return on the virtual wire interfaces.
B.Disable session offloading between the HA peers.
C.Set the HA timer to asymmetric routing active/passive mode.
D.Configure session distribution to use IP hash instead of round-robin.
AnswerD

IP hash ensures all packets of a session go to the same firewall, preventing asymmetric flow issues.

Why this answer

Option D is correct because configuring session distribution to use IP hash (based on source/destination IP) ensures that all packets for a session go to the same firewall, avoiding asymmetry. Option A is incorrect because 'symmetric return' is not a standard option in Virtual Wire mode. Option B is incorrect because disabling session offloading would prevent the firewalls from sharing session information, exacerbating the problem.

Option C is incorrect because there is no such HA timer setting for asymmetric routing.

184
MCQeasy

A firewall is configured with User-ID mapping via domain controller polling. Some users are not being mapped correctly. What is the most likely cause?

A.The firewall is not configured for TLS decryption.
B.The user-ID agent is not installed.
C.The firewall does not have network access to the domain controller.
D.The domain controller security policy is blocking RPC traffic.
AnswerD

RPC is used for User-ID polling; if blocked, mapping fails.

Why this answer

The correct answer is D because domain controller security policy blocking RPC traffic prevents User-ID from querying user information.

185
MCQhard

A large enterprise uses GlobalProtect with SAML authentication integrated with Azure AD for remote access. Users on laptops report intermittent authentication failures when moving between different office locations or switching wireless access points. The firewall clusters are geographically distributed and connected via MPLS. The authentication policy is configured correctly and the SAML identity provider is reachable. What should the administrator check first to resolve the issue?

A.Increase the SAML session timeout on the identity provider to 24 hours.
B.Configure authentication caching at the firewall to store user credentials.
C.Enable persistent cookie for GlobalProtect authentication to maintain session continuity.
D.Verify that the client certificate is not expiring and is properly installed.
AnswerC

Persistent cookies allow the firewall to recognize the user even after IP changes, preventing re-authentication.

Why this answer

Option C is correct because persistent cookies maintain the SAML session across IP changes, which is common when users roam between networks. Option A might help but is not a direct solution for IP changes. Option B is unrelated.

Option D does not affect SAML authentication.

186
MCQeasy

When configuring High Availability on a Palo Alto Networks firewall, which of the following is a best practice for the HA1 control link?

A.Use the management interface (MGT) for HA1
B.Configure HA1 as a subinterface on the HA2 link
C.Configure HA1 over a VLAN on a data interface to save ports
D.Use a dedicated physical interface for HA1, not shared with data traffic
AnswerD

Dedicated interface ensures stable heartbeat.

Why this answer

Option D is correct because a dedicated physical interface for HA1 ensures a reliable heartbeat. Option C is wrong because using a VLAN over a data interface adds latency and risk. Option A is wrong because the management interface is not recommended due to traffic load.

Option B is wrong because HA2 is for data sync, not heartbeat.

187
Multi-Selecthard

A security engineer is investigating a potential data exfiltration incident. The firewall logs show that a host in the DMZ made outbound connections to multiple external IPs on port 443, but the traffic was allowed. The engineer wants to review detailed session information including the amount of data transferred and the application used. Which three log types or tools should the engineer use? (Choose three.)

Select 3 answers
A.App-ID logs.
B.Packet capture feature.
C.System logs.
D.URL filtering logs.
E.Traffic logs.
AnswersA, B, E

App-ID logs show the application identified for each session.

Why this answer

App-ID logs (option A) are correct because they provide detailed information about the application associated with each session, which is critical for identifying the specific application used in the outbound connections. Traffic logs (option E) are correct because they record session-level details including source/destination IPs, ports, and the amount of data transferred (bytes sent/received). The packet capture feature (option B) is correct because it allows the engineer to capture and inspect the actual packets for forensic analysis, revealing the exact data payload and application behavior.

Exam trap

The trap here is that candidates often confuse URL filtering logs with traffic logs, thinking URL filtering provides session data transfer details, but URL filtering only logs URL categories and not byte counts or application identity.

188
MCQhard

A firewall is configured with multiple virtual systems (vsys). The administrator notices that one vsys is consuming excessive dataplane resources, affecting others. Which feature should be used to guarantee each vsys a minimum share of CPU and session capacity?

A.Packet filtering rules
B.Session limit rules
C.QoS profiles
D.Resource profiles
AnswerD

Resource profiles allocate CPU, session, and memory resources per vsys.

Why this answer

Option D is correct because resource profiles allow you to allocate CPU, session, and memory limits per vsys. Option C (QoS) manages bandwidth, not CPU. Option B (session limits) only restricts session count, not CPU.

Option A (packet filtering) is not a resource allocation feature.

189
MCQeasy

A GlobalProtect user can successfully authenticate to the portal but cannot connect to the internal gateway. The portal and gateway are configured on the same firewall. What is the most likely cause?

A.User not assigned a license
B.Incorrect gateway IP address in portal configuration
C.Gateway interface not in the same zone as portal
D.Gateway MTU mismatch
AnswerB

The portal configuration must list the correct gateway IP address; otherwise the client cannot reach the gateway.

Why this answer

When a user can authenticate to the portal but cannot connect to the gateway, the portal may be supplying the wrong gateway IP address. The client uses this IP to initiate the gateway connection. If it is incorrect, the connection fails.

190
Multi-Selecthard

Which TWO of the following are valid considerations when configuring Log Forwarding for Panorama? (Choose two.)

Select 2 answers
A.Log forwarding must use TLS encryption
B.Log forwarding requires an external syslog server
C.Log forwarding supports sending logs to multiple destinations
D.Log forwarding can be configured per security policy rule
E.Log forwarding can only send logs to a single Panorama collector
AnswersC, D

Destinations can include Panorama, syslog, email, etc.

Why this answer

Log Forwarding in Panorama supports sending logs to multiple destinations, including syslog servers, email, SNMP traps, and Panorama collectors. This flexibility allows administrators to distribute logs for redundancy, compliance, or analysis across different systems. Option C is correct because Panorama can forward logs to multiple destinations simultaneously, not just one.

Exam trap

The trap here is that candidates assume Log Forwarding is limited to a single destination or requires a syslog server, but Panorama actually supports multiple destinations and various log types without mandating syslog or TLS.

191
MCQmedium

A network administrator is troubleshooting an IPsec site-to-site VPN that fails to establish. IKE phase 1 completes successfully, but phase 2 fails with a 'no proposal chosen' message. Both sides have identical IKE and IPsec crypto profiles, and the pre-shared key is correct. What is the most likely cause of the failure?

A.The proxy IDs (local/remote subnets) do not match between peers
B.The tunnel is configured as route-based instead of policy-based
C.The IKE gateway's local interface is down
D.Dead peer detection is not enabled on the IKE gateway
AnswerA

Mismatched proxy IDs are the most common cause of phase 2 failure.

Why this answer

Option A is correct because phase 2 failure with matching crypto profiles typically indicates a proxy ID mismatch. Option B is incorrect because route-based VPNs still require proxy IDs. Option C is incorrect because the IKE gateway is active (phase 1 completed).

Option D is incorrect because dead peer detection settings do not affect phase 2 proposal negotiation.

192
MCQhard

A large enterprise uses a Palo Alto Networks firewall as the central hub for site-to-site VPN connections to 50 branch offices. Each branch office has a different subnet (e.g., 10.x.0.0/16 where x is the branch number). The VPN tunnels are configured using IKEv2 with pre-shared keys. Recently, the IT team decided to migrate to certificate-based authentication for improved security. They issued certificates from an internal CA to all branch firewalls and the hub firewall. After the migration, all tunnels failed to establish. The hub firewall logs show 'IKE negotiation failed' with error 'no proposal chosen'. The administrator checks the IKE gateway configuration on the hub: the IKE version is IKEv2, the authentication method is set to 'Certificate', and the certificate profile is configured with the root CA certificate. The administrator also verifies that the branch firewalls have the correct certificates and the hub's certificate is trusted. The branch firewalls' IKE gateways are configured with the hub's IP and pre-shared key (still configured as a fallback). What should the administrator do to resolve the issue?

A.Remove the pre-shared key from the IKE gateway configuration on the branch firewalls.
B.Change the IKE version on the hub to IKEv1.
C.Reissue the hub firewall's certificate with the correct subject name.
D.Ensure the internal CA is reachable from the branch firewalls.
AnswerA

When using certificate authentication, the pre-shared key should not be configured; otherwise the IKE proposal negotiation fails.

Why this answer

When using certificate-based authentication in IKEv2, the IKE gateway configuration must use only the certificate for authentication. If a pre-shared key is also configured, the firewall will attempt to use PSK authentication instead of the certificate, causing a mismatch with the peer expecting certificate-based authentication. This results in the 'no proposal chosen' error because the authentication method proposed (PSK) does not match the expected method (certificate).

Removing the pre-shared key from the branch firewalls' IKE gateway configuration forces them to use the certificate, aligning with the hub's configuration.

Exam trap

The trap here is that candidates assume a pre-shared key can remain as a fallback without affecting the authentication method negotiation, but in Palo Alto Networks IKEv2, the presence of a PSK overrides certificate authentication, causing a proposal mismatch.

How to eliminate wrong answers

Option B is wrong because changing the IKE version to IKEv1 would not resolve the authentication method mismatch; the issue is the authentication method, not the IKE version, and both sides are already configured for IKEv2. Option C is wrong because the hub's certificate subject name is not relevant to the 'no proposal chosen' error; the error indicates a proposal mismatch in authentication method, not a certificate validation issue. Option D is wrong because the internal CA does not need to be reachable during IKE negotiation; certificate validation uses the locally stored root CA certificate, not online CRL or OCSP checks by default, and the administrator already verified the root CA certificate is trusted.

193
MCQhard

A security architect needs to enforce authentication for all application-based policies using an external authentication source with MFA. Which combination of features best achieves this?

A.Local user database with password policies
B.SAML authentication with an identity provider that supports MFA
C.Kerberos authentication with Active Directory
D.RADIUS authentication with one-time passwords via token
AnswerB

SAML allows the firewall to redirect users to the IdP for authentication, including MFA challenges.

Why this answer

Option B is correct because SAML with an IdP that supports MFA lets the firewall delegate authentication to the IdP, which enforces the MFA challenge before returning the assertion. Option A is incorrect because the local user database cannot invoke an external MFA source. Option C is incorrect because Kerberos does not natively support MFA.

Option D is incorrect because RADIUS with one-time passwords may require additional infrastructure and is less flexible than SAML for MFA.

194
MCQmedium

A company is deploying a new firewall in active/passive high availability. The two firewalls are connected directly via the HA1 and HA2 interfaces. After configuration, the passive firewall shows 'HA state: passive' but the active firewall shows 'HA state: non-functional'. What is the most likely cause?

A.The HA1 link is down or misconfigured.
B.The HA2 link is being used for management traffic.
C.The preemptive setting is enabled on both firewalls.
D.The HA2 link is down or misconfigured.
AnswerD

HA2 is required for session synchronization; if it fails, the active firewall reports non-functional.

Why this answer

In active/passive HA, the HA2 link is used for session synchronization and state propagation. If the HA2 link is down or misconfigured, the active firewall cannot synchronize session state to the passive unit, causing it to report 'non-functional' even though the passive unit sees itself as 'passive'. The HA1 link handles heartbeats and configuration sync, which may still be operational, but without a functional HA2 link, the HA pair cannot maintain proper state synchronization, leading to the active firewall's non-functional state.

Exam trap

The trap here is that candidates often assume the HA1 link is the critical path for all HA functionality, but in active/passive mode, the HA2 link is essential for session state synchronization, and its failure causes the active firewall to report 'non-functional' even if HA1 is operational.

How to eliminate wrong answers

Option A is wrong because an HA1 (control link) failure stops heartbeat and configuration sync entirely; the peer then shows as 'unknown' or both units go active (split brain), which does not match a passive unit reporting 'passive' while the active reports 'non-functional'. Option B is wrong because HA2 is configured as a dedicated HA data link, not a management interface; using it for management would cause a configuration conflict or link type mismatch rather than the state described. Option C is wrong because preemption only controls whether a higher-priority firewall takes the active role back after it recovers; it has no effect on link health or on the 'non-functional' state.

195
Multi-Selectmedium

Which THREE steps should be performed when upgrading an active/passive HA pair to a new PAN-OS version?

Select 3 answers
A.Make the passive firewall active after its upgrade, then upgrade the original active.
B.Upgrade both firewalls at the same time to minimize downtime.
C.Suspend the HA pair's synchronization.
D.Upgrade the passive firewall first.
E.Reconfigure the HA3 link after the upgrade.
AnswersA, C, D

After upgrading the passive, perform a failover so it becomes active, then upgrade the original active.

Why this answer

Option A is correct because in an active/passive HA pair, the recommended upgrade procedure is to first suspend HA synchronization (Option C), then upgrade the passive firewall (Option D), and finally make the upgraded passive firewall active (Option A) before upgrading the original active firewall. Sessions synchronized over the HA2 link survive the controlled failover, so the rolling upgrade keeps downtime minimal. Options B and E are wrong: upgrading both firewalls at once removes the redundancy the pair exists to provide, and HA3 is used only in active/active deployments for packet forwarding, so it plays no part in an active/passive upgrade. The correct three steps are A, C, and D.

Exam trap

The trap here is that candidates often assume both firewalls must be upgraded simultaneously to minimize downtime, but the correct approach is a sequential upgrade with a controlled failover to maintain session state and redundancy.

196
Multi-Selectmedium

Which TWO troubleshooting steps should be performed when a user cannot access an internal server through a Palo Alto Networks firewall, and the traffic log shows that the session was dropped by a security rule?

Select 2 answers
A.Use the packet capture tool to capture the traffic
B.Check the rule order to see if a rule earlier in the policy is also matching
C.Enable logging at session end for all rules
D.Review the security rule that matched the session to ensure it is configured correctly
E.Check the server's network connectivity
AnswersB, D

Multiple rules may match; an earlier rule might deny the traffic.

Why this answer

When a session is dropped by a security rule, the traffic log will show the specific rule that denied the traffic. The most direct troubleshooting step is to review that rule's configuration (Option D) to ensure the source, destination, application, and service match the intended policy. Additionally, because Palo Alto Networks firewalls evaluate rules in top-down order, a later rule that would allow the traffic may be preempted by an earlier deny rule (Option B); checking rule order is critical to identify such a conflict.

Exam trap

The trap here is that candidates often assume the issue is with the server or network connectivity (Option E) or jump to packet capture (Option A) instead of focusing on the security policy itself, which is the direct cause indicated by the log's 'dropped by security rule' message.

197
MCQmedium

A network administrator is troubleshooting an issue where HTTPS traffic to a particular website is being blocked. The security policy rule allows SSL traffic to that website. The firewall logs show the traffic is being blocked by the URL Filtering profile. The URL Filtering profile is set to allow the category 'Business-and-Economy'. The website belongs to the category 'Shopping'. What action should the administrator take?

A.Change the security policy rule to use a different URL Filtering profile.
B.Disable URL Filtering for that traffic flow.
C.Create a custom URL category for the website and set it to allow.
D.Add the website's IP address to the URL Filtering exclude list.
AnswerC

This precisely allows the specific website while maintaining the overall URL filtering profile.

Why this answer

Option C is correct because creating a custom URL category for the specific website and setting it to allow in the existing profile overrides the 'Shopping' category action for that site only, without loosening filtering for anything else. Option A is incorrect because swapping the profile changes how every category is handled for all traffic matching the rule. Option B is incorrect because disabling URL Filtering for the flow removes the control entirely, which is far broader than needed.

Option D is incorrect because URL Filtering matches on the URL, not the IP address, and a site's addresses change over time, so an IP-based exception is both ineffective and fragile.

198
Multi-Selectmedium

Which TWO actions can help App-ID correctly identify a custom application that communicates over TCP port 8443 using SSL/TLS with a known internal hostname?

Select 2 answers
A.Disable App-ID on port 8443.
B.Use an application override with port 8443.
C.Add a custom URL category for the domain.
D.Create a custom application with a hostname condition.
E.Enable SSL forward proxy and import the internal CA certificate.
AnswersD, E

Hostname condition matches the SNI to identify the application.

Why this answer

Options D and E are correct. With SSL Forward Proxy enabled and the internal CA imported as the forward trust certificate, the firewall can decrypt the session on port 8443 and see the hostname, and a custom application with a hostname condition uses that name to identify the application. Option A is wrong because disabling App-ID on the port prevents any identification at all. Option B is wrong because an application override bypasses App-ID inspection instead of identifying the application.

Option C is wrong because URL categories drive URL Filtering, not App-ID.

199
MCQeasy

An HA pair is configured with Active/Passive mode. The passive firewall fails to become active after the active firewall's management interface goes down. What is the most likely cause?

A.HA1 keepalive failure is not detected
B.Management interface failure is not a monitored condition by default
C.HA2 link monitoring is not enabled
D.Session synchronization is not complete
AnswerB

Management interface down does not trigger HA failover unless explicitly configured under device HA.

Why this answer

Option B is correct because the management interface is not part of the dataplane and its failure is not a failover condition by default; failover is triggered by HA1 heartbeat loss, by monitored link or path failures, or by a dataplane failure. Option A is wrong because an HA1 keepalive failure would trigger a failover. Option C is wrong because HA2 link monitoring, where configured, triggers a failover rather than preventing one.

Option D is wrong because incomplete session synchronization does not block a failover; it only means existing sessions are lost when one occurs.

200
MCQeasy

When configuring a custom application signature, which field is mandatory to define the application?

A.Category
B.Protocol
C.Port
D.Subcategory
AnswerB

Protocol is required for the firewall to know which signatures to apply.

Why this answer

Option B is correct because the protocol (TCP, UDP, etc.) is required for signature matching. Option A is wrong because category is optional. Option C is wrong because ports are optional if using protocol decoder.

Option D is wrong because subcategory is optional.

201
MCQeasy

An organization has a pair of PA-5250 firewalls in active/passive HA. During a maintenance window, the active firewall is rebooted. After the reboot, the firewall that was passive becomes active and passes traffic. However, the other firewall remains in a non-functional state and shows 'unknown' as HA state. The administrator checks the HA configuration and finds both firewalls have the same HA settings. What is the most likely issue?

A.The backup firewall has a different software version.
B.The floating IP addresses are not configured.
C.The HA keepalive timer is too short.
D.The HA control link is down or misconfigured.
AnswerD

A functional control link is essential for HA communication; if down, the peer shows 'unknown'.

Why this answer

Option D is correct because if the HA control link (HA1) is down or misconfigured, the firewalls cannot exchange hello messages and heartbeats, so the rebooted unit never learns its peer's state and reports it as 'unknown'. Option C is incorrect because a keepalive timer that is too short would cause flapping, not a persistent 'unknown' state. Option A is incorrect because a software version mismatch is reported as such and prevents synchronization, but it does not stop heartbeat exchange.

Option B is incorrect because floating IP addresses are an active/active feature and have no bearing on HA state.

202
MCQmedium

An administrator notices that traffic from zone A to zone B is being dropped silently. Security rules are in place. Troubleshooting shows that the session does not appear in the session table. What is the most likely cause?

A.The traffic is being decrypted by an SSL Forward Proxy rule.
B.The traffic is taking an asymmetric path and the firewall sees only one direction.
C.The traffic is matched by a rule with action 'deny' and logging is disabled.
D.The interzone default rule is set to deny.
AnswerB

With asymmetric routing the first packet of the flow never reaches the firewall, so no session is created and the packets it does see are silently discarded.

Why this answer

A session is created when the firewall sees the first packet of a flow, normally the TCP SYN, and that is also when the security policy lookup happens. If the session table has no entry at all, the firewall never saw that first packet. Asymmetric routing produces exactly this: the firewall sees only one direction of the conversation, for example only the SYN-ACK returning from zone B because the SYN from zone A took a different path. A SYN-ACK, or any other non-SYN TCP packet, that matches no existing session is discarded by the default 'Reject Non-SYN TCP' handling, and because no session was ever created nothing is written to the traffic log either. The result is the silent drop described.

Exam trap

Palo Alto Networks often tests the misconception that a deny rule or the default rule would cause the session to be absent from the session table, but the firewall still processes denied traffic as a session and records it in the traffic log with action deny (when logging is enabled on the rule). The complete absence of a session entry points specifically to asymmetric routing or to a first packet that never reached the firewall.

How to eliminate wrong answers

Option A is wrong because SSL Forward Proxy decryption operates on a session that has already been created and appears in the session table; it does not cause sessions to be missing from it. Option C is wrong because a deny rule means the firewall did process the flow and make a policy decision; disabling logging only hides the entry in the traffic log and does not explain why no session was ever created. Option D is wrong for the same reason: the interzone default rule denies the session and, with logging enabled on it, logs the denial; it does not prevent the session from being seen at all.
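A minimal model of the session-table behaviour this explanation relies on, added here as example code (not PAN-OS internals and not part of the original question). It assumes the default reject-non-SYN handling, and the host addresses and ports are constructed. Run it and compare the three cases: both directions seen, only the outbound SYN seen, and only the return direction seen.

```python
"""
Toy stateful session table: a session is created by the first packet of a flow
(the TCP SYN); non-SYN packets with no matching session are discarded, which is
what PAN-OS does by default (Reject Non-SYN TCP). Added illustration, not
firewall code; the addresses below are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")   # flags: set of TCP flag names

CLIENT, SERVER = "10.1.1.10", "10.2.2.20"   # zone A host and zone B host (constructed)


class SessionTable:
    def __init__(self):
        self.sessions = {}   # flow key -> handshake state (INIT, OPENING, ACTIVE)
        self.drops = []      # (packet, reason) for packets dropped without a session

    @staticmethod
    def flow_key(p: Packet):
        """Normalise the 5-tuple so both directions of a flow share one entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p: Packet) -> str:
        key = self.flow_key(p)
        state = self.sessions.get(key)
        if state is not None:
            # Existing session: advance the handshake state and forward the packet.
            if state == "INIT" and {"SYN", "ACK"} <= set(p.flags):
                self.sessions[key] = "OPENING"
            elif state == "OPENING" and "ACK" in p.flags:
                self.sessions[key] = "ACTIVE"
            return "forward"
        if set(p.flags) == {"SYN"}:
            # First packet of a new flow: this is where the policy lookup would happen.
            self.sessions[key] = "INIT"
            return "forward"
        # Mid-stream packet with no session: silently discarded, nothing logged.
        self.drops.append((p, "non-syn-tcp"))
        return "drop"


def symmetric_handshake() -> SessionTable:
    """Firewall sees both directions: one session reaches ACTIVE."""
    t = SessionTable()
    t.process(Packet(CLIENT, SERVER, 51000, 443, {"SYN"}))
    t.process(Packet(SERVER, CLIENT, 443, 51000, {"SYN", "ACK"}))
    t.process(Packet(CLIENT, SERVER, 51000, 443, {"ACK"}))
    return t


def outbound_only() -> SessionTable:
    """SYN crosses the firewall but the SYN-ACK returns another way: a half-open entry remains."""
    t = SessionTable()
    t.process(Packet(CLIENT, SERVER, 51000, 443, {"SYN"}))
    return t


def return_only() -> SessionTable:
    """SYN bypassed the firewall; it sees only the server's replies: empty table, silent drops."""
    t = SessionTable()
    t.process(Packet(SERVER, CLIENT, 443, 51000, {"SYN", "ACK"}))
    t.process(Packet(SERVER, CLIENT, 443, 51000, {"ACK"}))
    return t


if __name__ == "__main__":
    for name, table in (("symmetric", symmetric_handshake()),
                        ("outbound only", outbound_only()),
                        ("return only", return_only())):
        print(f"{name:14s} sessions={list(table.sessions.values())} drops={len(table.drops)}")
```

The 'return only' case is the one the question describes: the table stays empty and the drops never produce a traffic log entry, whereas a policy deny would have gone through `process` with a SYN and left a record.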

203
MCQhard

After configuring SAML authentication for GlobalProtect, users report they are repeatedly prompted for credentials even though they already authenticated via the IdP. The firewall logs show 'saml-auth-success' but the portal log shows 'user-login-failure: invalid saml assertion'. What is the most likely cause?

A.The IdP does not support IdP-initiated SAML flow
B.The user mapping agent is not configured
C.The firewall and IdP system clocks are out of sync
D.The SAML identity provider certificate is expired
AnswerC

Time skew can cause SAML assertion validation failure.

Why this answer

The firewall logs show 'saml-auth-success' (meaning the IdP successfully authenticated the user and issued a SAML assertion), but the portal log shows 'user-login-failure: invalid saml assertion'. This indicates the firewall received the assertion but rejected it as invalid. The most common cause for a validly signed assertion to be rejected is clock skew between the firewall and the IdP, because SAML assertions contain timestamps (NotBefore and NotOnOrAfter conditions) that are checked against the local system clock.

If the clocks differ by more than the allowed skew (typically 5 minutes), the assertion is considered invalid even though it was correctly signed.

Exam trap

The trap here is that candidates see 'saml-auth-success' and assume the authentication succeeded end-to-end, but they miss that the firewall's portal log rejection indicates a validation failure on the assertion itself, not a failure at the IdP.

How to eliminate wrong answers

Option A is wrong because IdP-initiated SAML flow is not required for GlobalProtect; GlobalProtect uses SP-initiated SAML flow, where the firewall (service provider) redirects the user to the IdP. The error here is about assertion validation, not about which party initiated the flow. Option B is wrong because the user mapping agent is used for mapping IP addresses to usernames for policy enforcement, not for SAML authentication validation; the error occurs during the SAML assertion validation phase, before any user mapping would occur.

Option D is wrong because if the IdP certificate were expired, the firewall would fail to validate the signature on the SAML assertion and would log a signature validation error, not an 'invalid saml assertion' error; the logs show 'saml-auth-success' from the IdP side, meaning the certificate was valid at the time of signing.
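The NotBefore/NotOnOrAfter check that rejects a correctly signed assertion when the clocks drift, as an added Python example (not PAN-OS code and not part of the original question). The assertion XML, hostnames and the 5-minute skew allowance are constructed; signature verification is deliberately out of scope, which mirrors the scenario: the signature was fine, the timestamps were not.

```python
"""
Validates the time conditions of a SAML assertion against the service provider's
own clock, the check that fails when firewall and IdP clocks drift apart.
Added example, not PAN-OS code. The assertion, URLs and the 5-minute skew
allowance are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion; the IdP's clock read 09:00:00Z when it was issued.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2024-05-01T09:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T08:59:30Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gp.example.test:443/SAML20/SP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_conditions(assertion_xml: str):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks NotBefore/NotOnOrAfter conditions")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def check_time_conditions(assertion_xml: str, sp_now: datetime,
                          skew: timedelta = timedelta(minutes=5)):
    """
    SAML 2.0 rules: reject if sp_now < NotBefore or sp_now >= NotOnOrAfter, after
    widening the window by the allowed clock skew on both sides.
    Returns (accepted, reason), worded like a portal log line.
    """
    not_before, not_on_or_after = parse_conditions(assertion_xml)
    if sp_now + skew < not_before:
        return False, (f"invalid saml assertion: NotBefore {not_before.isoformat()} "
                       f"is in the future for SP clock {sp_now.isoformat()}")
    if sp_now - skew >= not_on_or_after:
        return False, (f"invalid saml assertion: NotOnOrAfter {not_on_or_after.isoformat()} "
                       f"has passed for SP clock {sp_now.isoformat()}")
    return True, "time conditions satisfied"


def sp_clock_offset_results(offsets_minutes=(-15, -3, 0, 3, 15)):
    """
    Evaluate the sample assertion for a firewall whose clock is offset from the
    IdP's 09:00:00Z by the given number of minutes. Returns {offset: accepted}.
    """
    idp_now = parse_saml_time("2024-05-01T09:00:00Z")
    return {m: check_time_conditions(SAMPLE_ASSERTION, idp_now + timedelta(minutes=m))[0]
            for m in offsets_minutes}


if __name__ == "__main__":
    for offset, ok in sp_clock_offset_results().items():
        print(f"firewall clock {offset:+d} min vs IdP -> {'accepted' if ok else 'rejected'}")
```

A few minutes of drift is absorbed by the skew allowance; fifteen minutes in either direction is rejected even though nothing about the signature changed, which is why NTP on both the firewall and the IdP is the first thing to check.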

204
MCQeasy

A network administrator notices that traffic from a specific IP address is being blocked unexpectedly. The traffic is allowed in the security policy. What is the most likely cause?

A.The source zone is incorrectly assigned.
B.The application override is misconfigured.
C.The profile settings for the security policy are blocking the traffic.
D.The IP address is on a block list in the External Dynamic List (EDL).
AnswerD

A deny rule that references an EDL block list and sits earlier in the rulebase is matched before the later allow rule.

Why this answer

Option D is correct because an External Dynamic List (EDL) used as the source address in a deny rule higher in the rulebase is matched before the allow rule, so the address is blocked even though a later rule permits it. Options A, B, and C are less likely causes for this specific symptom: a wrong zone or a misconfigured application override would change which rule matches rather than block a single address, and a security profile verdict would appear as a threat or URL log entry rather than a plain block.

205
MCQmedium

An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?

A.Disable decryption globally and create a custom URL category for the financial domains to enable decryption only for those.
B.Create two Decryption Policy rules: one with 'ssl-decrypt' action for the general category and a second rule with 'no-decrypt' action for the financial domains.
C.Upload the server certificates for the financial domains to the firewall and enable 'no-decrypt' on the Decryption Profile.
D.Configure a single Decryption Policy rule with a 'decrypt' action and add the financial domains to the 'Exclude Certificate' list.
AnswerB

This allows decryption of most traffic while exempting the specified domains, following best practice.

Why this answer

Option B is correct because it follows the best practice of using a 'no-decrypt' rule with higher priority than the 'ssl-decrypt' rule to exclude specific traffic from decryption. This ensures that traffic to financial services domains is not decrypted, while all other external HTTPS traffic is decrypted as required.

Exam trap

The trap here is that candidates may confuse the 'Exclude Certificate' list in the Decryption Profile with a method to prevent decryption, when in fact it only affects certificate re-signing, not the decryption action itself.

How to eliminate wrong answers

Option A is wrong because disabling decryption globally and then enabling it only for specific domains would require decryption of financial traffic, which contradicts the requirement for end-to-end encryption. Option C is wrong because uploading server certificates for financial domains and enabling 'no-decrypt' on the Decryption Profile does not prevent decryption; the 'no-decrypt' action must be set in the Decryption Policy rule, not the profile. Option D is wrong because adding financial domains to the 'Exclude Certificate' list in a Decryption Profile only excludes those certificates from being re-signed, but the traffic is still decrypted, which violates the end-to-end encryption requirement.

206
MCQhard

A company uses a custom application definition for a proprietary application that runs on UDP port 12345. The security rule allowing the application is configured, but traffic logs show the application as 'unknown' instead of matching the custom app. What is the most likely cause?

A.The custom application signature is not associated with the security rule.
B.The firewall is running in L2 mode.
C.The traffic is not matching the app's protocol or port in the signature.
D.The application timeout is too short.
AnswerC

If the actual traffic uses a different port or protocol than defined, App-ID will not match.

Why this answer

Option C is correct because the custom application definition specifies UDP port 12345, but if the actual traffic uses a different port or does not match the protocol (UDP) defined in the signature, the firewall will classify it as 'unknown'. The security rule allows the application, but the traffic must first be identified by the App-ID engine based on the signature's protocol and port criteria; a mismatch here prevents proper classification.

Exam trap

The trap here is that candidates assume a security rule referencing a custom application will automatically classify all traffic on that rule as the application, but App-ID requires the traffic to match the signature's protocol and port criteria first.

How to eliminate wrong answers

Option A is wrong because custom application signatures are automatically associated with the security rule when the rule references the application; no separate association step is needed. Option B is wrong because L2 mode does not affect App-ID classification; the firewall still performs application identification regardless of the deployment mode. Option D is wrong because the application timeout controls how long a session remains active after traffic stops, not whether the traffic is initially identified as the custom application.

207
MCQhard

After upgrading a firewall pair from PAN-OS 9.1 to 10.0, a route-based IPsec VPN to a partner is no longer establishing. The tunnel is configured with a tunnel interface (tunnel.1) with IP 10.0.0.1/30 and the remote tunnel interface is 10.0.0.2/30. IKE phase 1 completes successfully, but phase 2 fails with 'no proposal chosen' on both sides. Both firewalls have identical IPsec crypto profiles (ESP-AES-256, SHA-256, DH-5, 1-hour lifetime). What is the most likely cause?

A.The tunnel interface IP address conflicts with another interface
B.The new PAN-OS version requires a stronger DH group for IPsec
C.The proxy ID configuration was removed during the upgrade
D.A security policy block IKE is blocking the tunnel
AnswerC

Proxy IDs define the phase 2 traffic selectors; when they are missing or do not match the peer's, phase 2 fails with 'no proposal chosen' even though the crypto profiles agree.

Why this answer

Option C is correct because the crypto proposals are identical on both sides, so the remaining phase 2 parameters that must agree are the proxy IDs (traffic selectors). A partner device, particularly a policy-based VPN, rejects a phase 2 proposal whose proxy IDs do not match its own with 'no proposal chosen', and the proxy ID configuration is what to verify after the upgrade. Option B is incorrect because both firewalls still use the same crypto profile, DH group included, so no new minimum is in play. Option A is incorrect because an IP conflict on the tunnel interface would affect routing over the tunnel, not the phase 2 negotiation.

Option D is incorrect because a security policy blocking IKE would prevent phase 1, which completed successfully.

208
MCQmedium

A network engineer is troubleshooting a slow file transfer through a PA-5200. The file transfer is between two sites connected via IPsec VPN. The firewall has a symmetric crypto profile with AES-256 and SHA-256. The throughput is lower than expected. The engineer checks the dataplane CPU and sees it is 30%. The firewall's interface counters show no errors. What should be the first step to improve throughput?

A.Disable anti-replay protection.
B.Enable hardware acceleration for VPN.
C.Change the encryption algorithm to AES-128.
D.Increase the MTU on the tunnel interface.
AnswerB

Hardware acceleration uses dedicated chips to handle crypto, freeing CPU and increasing throughput.

Why this answer

Option B is correct because enabling hardware acceleration offloads VPN processing from the CPU, which improves throughput even if CPU is not at 100%.

209
MCQmedium

A company uses a custom application for internal VoIP traffic. The custom App-ID signature is configured with the correct protocol and port, but traffic is still not matching. The firewall shows the application as 'unknown-tcp'. What should the administrator check next?

A.Verify that the port range in the custom application is correct.
B.Update the App-ID signature database.
C.Check for asymmetric routing on the firewall.
D.Ensure a protocol decoder (e.g., SIP) is enabled for the application.
AnswerD

VoIP often uses dynamic ports; a protocol decoder is needed for full identification.

Why this answer

Option D is correct because many VoIP applications negotiate dynamic media ports after the initial signaling, so identification that relies on a protocol decoder (such as SIP or H.323) is needed; a static protocol and port definition alone leaves the session classified as 'unknown-tcp'. Option A is incorrect because the port is already configured and verified. Option C is incorrect because asymmetric routing would affect session creation, not just App-ID classification, and is unlikely for internal VoIP.

Option B is incorrect because content updates do not affect custom application signatures.

210
MCQeasy

An administrator has configured an authentication profile with LDAP and sets the authentication sequence to 'continue on failure'. A user enters an incorrect password first, then correct. Will the user be authenticated?

A.Yes, because the sequence continues on failure and the second attempt succeeds.
B.Yes, but only if the LDAP server is configured for multiple attempts.
C.No, because the first failure blocks authentication.
D.No, because the sequence stops on success, but the first attempt failed.
AnswerA

'Continue on failure' means that a failed step does not end the authentication sequence; the next step is tried, and a success anywhere in the sequence grants access. A wrong password on the first attempt does not block a subsequent correct attempt.

Why this answer

With 'continue on failure', a failure is not terminal: the sequence moves on and stops at the first success. The first attempt with the wrong password fails; the second attempt with the correct password succeeds, so the user is authenticated and Option A is correct. Option B is wrong because no special LDAP configuration is needed for a user to retry. Options C and D are wrong because a single failed attempt neither locks the user out nor ends the sequence, unless the LDAP server enforces an account lockout, which the question does not describe.

211
MCQhard

Two Palo Alto Networks firewalls are configured in an active/passive HA pair. During a scheduled maintenance, the network team reboots both firewalls simultaneously. After reboot, both firewalls appear as 'active' in the HA state. What is the most likely cause and the correct troubleshooting step?

A.Both firewalls have the same priority; the tie is broken by serial number, but due to simultaneous reboot, both came up as active. The solution is to reboot one firewall.
B.The HA configuration is set to active/active mode instead of active/passive.
C.The heartbeat link between the firewalls is missing or fails, causing each to believe the other is down. The correct step is to restore the heartbeat link and then set the appropriate firewall as passive.
D.The heartbeat interfaces are not configured on each firewall.
AnswerC

Split-brain is usually due to lost heartbeat; restoring it and setting one as passive resolves.

Why this answer

In an active/passive HA pair, each firewall monitors the peer's health via the heartbeat link. If the heartbeat link fails, each firewall assumes the peer is down and transitions to active state to ensure traffic continuity. Simultaneous reboot does not cause both to become active unless the heartbeat link is absent or broken; restoring the heartbeat link and forcing one firewall to passive resolves the split-brain scenario.

Exam trap

The trap here is that candidates assume simultaneous reboot causes a priority tie, but the real issue is the missing heartbeat link, which prevents the firewalls from detecting each other's state after reboot.

How to eliminate wrong answers

Option A is wrong because priority and serial number tie-breaking only apply when both firewalls attempt to become active at the same time with a functional heartbeat; simultaneous reboot does not override the need for heartbeat communication. Option B is wrong because active/active mode would require explicit configuration and would not cause both to appear active after reboot if the heartbeat link were functional; the symptom described matches a heartbeat failure, not a mode misconfiguration. Option D is wrong because the heartbeat interfaces must be configured for HA to function; if they were not configured, the firewalls would not form an HA pair at all, but the question states they are in an HA pair, implying heartbeat interfaces are configured.

212
MCQhard

An organization is deploying SSL inbound proxy decryption (SSLi) to protect servers in a DMZ. Which consideration is critical for the firewall to properly decrypt inbound traffic destined to these servers?

A.The firewall must present the server's public certificate to clients.
B.The firewall must have a trusted CA certificate installed.
C.The firewall must possess the server's private key to re-encrypt traffic.
D.The firewall must be configured to only accept TLS 1.2 or higher.
AnswerC

The firewall can only decrypt sessions to a server whose certificate and private key it holds.

Why this answer

With SSL Inbound Inspection, the administrator imports the DMZ server's certificate together with its private key and references that certificate in the Decryption Policy rule. The client still negotiates TLS with the server's own certificate; the firewall uses the imported private key either to recover the session keys and decrypt the traffic in line, where the key exchange allows it, or to act as a proxy, terminating the client side and establishing its own TLS session to the server.

In both cases the server's private key is the prerequisite; without it the firewall can neither recover the session keys nor complete a handshake on the server's behalf, making option C correct.

Exam trap

The trap here is that candidates often confuse inbound inspection (where the firewall needs the server's own certificate and private key) with SSL Forward Proxy (where the firewall needs a CA certificate, the forward trust certificate, to sign the certificates it generates for clients), leading them to incorrectly select option B.

How to eliminate wrong answers

Option A is wrong because presenting the server's public certificate achieves nothing on its own; in inbound inspection the client sees the server's certificate anyway, and a public certificate cannot decrypt anything. Option B is wrong because a CA certificate is what SSL Forward Proxy needs to sign the certificates it generates for outbound sessions; inbound inspection uses the server's own certificate and key instead. Option D is wrong because restricting TLS versions is a hardening setting in the Decryption Profile, not a prerequisite for decryption; the firewall decrypts any version it supports.

213
Multi-Selecteasy

A network engineer is configuring a new GlobalProtect gateway to provide remote access. Which TWO items are required for the gateway to function properly?

Select 2 answers
A.A certificate for the gateway
B.An authentication profile
C.An IP pool for client IP assignment
D.A split tunneling configuration
E.A clientless VPN configuration
AnswersA, C

Required to secure the TLS tunnel.

Why this answer

A certificate is required for the gateway to terminate TLS connections, and an IP pool is required to assign IP addresses to VPN clients. An authentication profile can be configured but is not strictly required if the portal handles authentication. Clientless VPN and split tunneling are optional features.

214
MCQmedium

Refer to the exhibit. A network engineer wants to allow only 'ms-update' and 'facebook-base' traffic. After committing the above security policy, they find that 'ssl' traffic is also being allowed. What is the most likely reason?

A.Rule 1 allows all applications because it uses 'application any'.
B.App-ID is not enabled on the firewall.
C.Rule 4 is a deny rule but it is not effective because the traffic is allowed earlier.
D.The rule order is incorrect; rule 3 should be moved before rule 1.
AnswerA

Rule 1 matches all applications before the more specific rules, causing all traffic to be allowed.

Why this answer

Rule 1 uses 'application any', which matches all applications regardless of the specific App-ID. Since security policies are evaluated from top to bottom and the first matching rule is applied, any traffic that matches Rule 1's source, destination, and service will be allowed, including 'ssl' traffic. The explicit allow rules for 'ms-update' and 'facebook-base' are irrelevant because Rule 1 catches all traffic first.

Exam trap

Palo Alto Networks often tests the misconception that adding a deny rule later in the policy will block traffic that was already allowed by an earlier rule, but the trap here is that rule order is evaluated top-down and the first match wins, so a broad allow rule with 'application any' will permit all traffic before any deny or specific allow rules are reached.

How to eliminate wrong answers

Option B is wrong because if App-ID were not enabled, the firewall would not be able to identify any applications, and traffic would be handled by the default interzone rule (typically deny), not by allowing 'ssl' traffic. Option C is wrong because Rule 4 being a deny rule is irrelevant; the issue is that traffic is matched and allowed by an earlier rule (Rule 1) before reaching any deny rule. Option D is wrong because moving Rule 3 before Rule 1 would not fix the problem; Rule 1 would still match all traffic first, and Rule 3 would never be evaluated for traffic that matches Rule 1.

215
Drag & Dropmedium

Order the steps to upgrade the PAN-OS software on a standalone firewall.

Why this order

Upgrade requires download, upload, install, reboot, and verification.

216
MCQmedium

A company has two Palo Alto Networks firewalls configured in active/passive HA. During a failover test, the passive firewall becomes active but traffic is not passing. The active firewall shows the correct configuration and licenses. Which action is most likely to resolve the issue?

A.Enable preemption on the HA configuration.
B.Re-apply the licenses on the newly active firewall.
C.Perform a configuration synchronization from the original active firewall.
D.Disable the HA2 link to force stateful failover.
AnswerC

The passive may have an outdated or incomplete config; sync ensures it matches the active.

Why this answer

Option C is correct because the most likely cause of traffic failure after a failover is that the configuration on the newly active firewall is out of sync with the original active firewall. In active/passive HA, configuration synchronization (config sync) is typically enabled, but if it was not performed before the failover or if the passive device had a stale configuration, critical settings such as interface IPs, security policies, or routing entries may be missing or incorrect. Performing a configuration synchronization from the original active firewall ensures the new active device has the exact same configuration, restoring traffic flow.

Exam trap

The trap here is that candidates often assume a failover automatically includes full configuration synchronization, but in reality, config sync must be explicitly enabled and successfully completed beforehand, and a stale passive device will not pass traffic until a manual sync is performed.

How to eliminate wrong answers

Option A is wrong because preemption controls which device becomes active after a failure is resolved, not the ability to pass traffic during a failover; it does not fix a configuration mismatch. Option B is wrong because licenses are shared in an HA pair and do not need to be re-applied after failover; the passive firewall already has the same licenses as the active device. Option D is wrong because disabling the HA2 link would break the state synchronization and heartbeat path, potentially causing both firewalls to become active (split-brain) or losing session state, which would not resolve a configuration issue and would worsen the problem.

217
MCQmedium

A multinational corporation uses GlobalProtect with multiple gateways distributed globally for load balancing. The portal has 'Enable Location Awareness' enabled and region mapping is configured to map APAC users to the APAC gateway, US users to the US gateway, etc. Recently, users in the APAC region are being redirected to the US gateway, causing high latency. The AD admin confirms that users are in the correct APAC subnets. What is the most likely misconfiguration?

A.The APAC gateway's region mapping is configured with incorrect IP subnets
B.The location awareness database is outdated for APAC IP subnets
C.The APAC gateway's IP pool is exhausted
D.The portal's 'Primary Gateway' is set to the US gateway
AnswerB

An outdated database can cause incorrect gateway assignment.

Why this answer

Option B is correct because if the location database is outdated, the portal cannot determine the correct region. Option C is incorrect because the IP pool does not affect location redirection. Option D is incorrect because the primary gateway setting is not used with location awareness. Option A is incorrect because region mapping has already been enabled by the admin.

218
MCQhard

After a power failure, both firewalls in an HA pair come up and report 'active' state. The network team confirms that the two firewalls are connected via HA1 and HA2. What is the most likely cause of the split-brain condition?

A.The HA1 keepalive hold timer is set too low, causing both to become active before learning peer state
B.The active firewall has a higher software version
C.Preemption is enabled on both firewalls
D.HA2 link is configured but not used for election
AnswerA

A short hold timer can lead to premature failover during boot.

Why this answer

Option A is correct because the HA keepalive hold timer on HA1 is too short, causing each firewall to assume the other is dead during power-up. Option D is wrong because HA2 is for data sync. Option C is wrong because preempt is about becoming active. Option B is wrong because a version mismatch would show a configuration mismatch, not dual active.

219
MCQmedium

A company implements SSL Forward Proxy decryption. Users complain that accessing certain websites, such as video streaming and software updates, is slow. Which action should the administrator take to improve performance?

A.Increase the SSL session cache to 1024.
B.Upgrade the firewall to a higher model.
C.Exclude known high-traffic sites from decryption.
D.Enable SSL session re-use.
AnswerC

Best practice is to exclude categories like streaming and updates from decryption to reduce load.

Why this answer

Option C is correct because excluding known high-traffic sites (e.g., video streaming and software update servers) from SSL Forward Proxy decryption reduces the processing overhead on the firewall. Decrypting and re-encrypting high-volume traffic consumes significant CPU and memory resources, causing latency. By bypassing decryption for these sites, the firewall can forward traffic directly, improving performance without sacrificing security for other traffic.

Exam trap

The trap here is that candidates often focus on optimizing TLS handshake performance (session cache or reuse) rather than recognizing that the primary bottleneck is the decryption of large data payloads, which is unaffected by handshake optimizations.

How to eliminate wrong answers

Option A is wrong because increasing the SSL session cache to 1024 (the maximum supported value) only helps with session reuse for previously decrypted connections, but it does not address the fundamental bottleneck of decrypting high-traffic streams; the cache reduces handshake overhead, not bulk data processing. Option B is wrong because upgrading to a higher model firewall is a costly, long-term solution that does not solve the immediate performance issue; the problem is likely due to decryption of high-volume traffic, not insufficient hardware capacity for normal operations. Option D is wrong because enabling SSL session reuse (via session IDs or session tickets) reduces the number of full TLS handshakes but does not reduce the decryption workload for the actual data transfer; the slowdown is from decrypting large payloads, not from repeated handshakes.

220
Multi-Selecthard

A network engineer is troubleshooting an issue where a web application is being incorrectly identified as 'web-browsing' instead of 'webmail-gmail' by the Palo Alto Networks firewall. The firewall has App-ID enabled and all signatures are up to date. Which TWO actions should the engineer take to resolve this misidentification?

Select 2 answers
A.Disable unknown application identification to force stricter matching.
B.Create a custom App-ID for webmail-gmail with stricter signatures.
C.Review the session log to see if the application changed during the session.
D.Increase the application identification timeout to allow more time for identification.
E.Enable packet capture on the security rule to collect traffic for analysis.
AnswersC, E

Session logs show App-ID updates; the application may have been re-identified later.

Why this answer

Option C is correct because App-ID can reclassify a session as more data becomes available. A session that starts as 'web-browsing' may later be identified as 'webmail-gmail' once the firewall sees application-specific traffic (e.g., SMTP, IMAP, or proprietary Gmail API calls). Reviewing the session log to see if the application changed during the session helps confirm whether the firewall eventually identified the correct application.

Exam trap

The trap here is that candidates assume a static, one-time identification and overlook the fact that App-ID can dynamically reclassify a session as more data is analyzed, making the session log a critical diagnostic tool.

221
MCQhard

An organization has two different applications (AppA and AppB) that both use TCP port 8080. The firewall must apply different security policies to each application. What is the recommended approach?

A.Use source/destination IP addresses in security policies instead of App-ID.
B.Add the applications on separate virtual wire interfaces.
C.Change the port of one application to a different value.
D.Create an application override policy to identify each application by IP address.
AnswerD

Application override matches based on user-defined criteria, allowing separate policies.

Why this answer

Option D is correct because application override allows you to force a custom application identification based on criteria like IP addresses, even on the same port. Option C is wrong because changing the port is not always feasible. Option A is wrong because using only IP addresses is not sufficient for port sharing. Option B is wrong because additional interfaces do not solve the identification problem.

222
MCQmedium

An organization uses captive portal authentication. Users report that after closing the browser, they are still authenticated and can access resources without re-authenticating. How can the administrator enforce re-authentication after browser closure?

A.Clear the 'allow session cookie' option in the captive portal profile.
B.Configure the authentication enforcement to require authentication for each session.
C.Set the session timeout to 0 in the captive portal profile.
D.Disable the 'session cookie' setting in the captive portal profile and change the authentication profile to use RADIUS.
AnswerA

This disables the session cookie, so when the browser is closed, the session ends and re-authentication is required.

Why this answer

Captive portal uses a session cookie to maintain authentication. Clearing the 'allow session cookie' option forces the user to authenticate for each new browser session. Option A is correct.

223
Multi-Selecteasy

An administrator needs to configure a firewall to send email alerts when a specific security policy rule is triggered. Which two configuration elements are required? (Choose two.)

Select 2 answers
A.A 'Security Policy' rule with 'Log at Session End' enabled.
B.An 'Email Server' profile configured with SMTP server details.
C.A 'Log Forwarding' profile that includes email notification.
D.A 'Panorama' template to push the configuration.
E.A 'User-ID' agent to identify users.
AnswersB, C

This profile is referenced by the log forwarding profile to send the email.

Why this answer

Options B and C are correct. A log forwarding profile defines the action (email), and an email server profile defines the SMTP server details. The security policy rule itself also needs logging enabled, but the question specifically asks for elements to send email alerts, which are the log forwarding profile and the email server profile.

224
MCQhard

Refer to the exhibit. The firewall is active in an HA pair, but the peer is non-functional. The HA2 link is down. What is the most likely cause of the peer being non-functional?

A.The HA3 link is down
B.The HA2 link is down, preventing session synchronization
C.The peer firewall is running a different PAN-OS version
D.The HA1 link is down
AnswerC

Version mismatch causes non-functional state.

Why this answer

Option C is correct because when an HA pair detects a version mismatch between peers, the firewall with the higher PAN-OS version will not form an active/passive HA state and will remain in a non-functional state to prevent configuration or session incompatibilities. The HA2 link being down is a separate issue that affects session synchronization but does not cause the peer to be completely non-functional; the peer can still operate with reduced HA capabilities. A version mismatch is a critical condition that prevents HA peering entirely, leading to one peer appearing non-functional.

Exam trap

The trap here is that candidates often assume a down HA2 link directly causes a peer to be non-functional, but in reality, HA2 only affects session sync, not the firewall's ability to operate or form an HA pair, whereas a version mismatch is a hard blocker for HA formation.

How to eliminate wrong answers

Option A is wrong because the HA3 link is used for packet forwarding (active/active HA) and is not required for basic HA peering or state determination; its absence would not cause a peer to be non-functional. Option B is wrong because the HA2 link being down only prevents session synchronization (stateful failover), but the peer can still function as a standalone firewall and participate in HA heartbeats over HA1; it does not render the peer non-functional. Option D is wrong because the HA1 link is the control link used for heartbeats and configuration synchronization; if it were down, the firewalls would not detect each other, but the question states the HA2 link is down, not HA1, and the peer being non-functional is attributed to a version mismatch, not a missing HA1 link.

225
MCQmedium

A security policy rule is configured to deny traffic, but no logs are generated when the traffic is denied. Which of the following is the most likely reason?

A.The firewall's system log rate is exceeded and logs are dropped.
B.The rule has logging disabled for the 'deny' action.
C.The rule is not being matched because a previous rule allows the traffic.
D.The rule is configured to log at session end, but the session ends immediately upon denial, so no log is generated.
AnswerD

Denied sessions are not established; they end immediately. Logging at session end does not trigger for sessions that never start. To log denied traffic, enable logging at session start.

Why this answer

Option D is correct because by default, interzone rules log at session end only for allowed traffic; denied traffic may not generate logs if logging is not explicitly enabled. Option B is wrong because disabling logging per rule is a common oversight. Option A is wrong because system logs are not related to security policy logs. Option C is wrong because the rule can still deny without logging.
